PGPUB-DOCUMENT-NUMBER: 20020095499
TITLE: Delegated administration of information in a database directory using attribute permissions

PUBLICATION-DATE: July 18, 2002 



INVENTOR-INFORMATION:
NAME
US-CL-PUBLISHED: 709/226; 709/223
REPRESENTATIVE-FIGURES: 1



ABSTRACT : 



A delegated administrative tool for administrating information in a database directory using
attribute permissions. The delegated administrative tool enables an administrator to form
administrative domains and sub-domains having user attribute permissions that define
administrative operations that an administrator can and cannot perform on a user attribute.
Also, the delegated administrative tool enables an administrator to define restricted values
for assigning to the user attributes.
DATE FILED: January 16, 2001
Application is a non-provisional-of-provisional application 60/241645, filed October 19, 2000.
REPRESENTATIVE-FIGURES: 4



ABSTRACT : 



A delegated administration tool for administrating information in a database directory. The
delegated administration tool enables an administrator to delegate administration and various 
types of administrative authority to other users within a community of users. In particular, an 
administrator with proper authority may create new administrative domains and assign authority 
referred to as delegation authority and edit authority to other users. The creation of 
additional administrative domains and the assignment of the delegation authority and edit 
authority can continue to an arbitrary level within the community. 

CROSS REFERENCE TO RELATED APPLICATIONS 

[0001] This application claims the benefit of U.S. Provisional Application Serial No. 
60/241,645 filed on Oct. 19, 2000, and entitled "Approach And Design For Software To Facilitate 
Delegated Administration Of Information In A Database Directory, " which is incorporated by 
reference herein in its entirety. 
General Electric Company

APPL-NO: 09/761000 [PALM]
DATE FILED: January 16, 2001 

RELATED-US-APPL-DATA: 

Application is a non-provisional-of-provisional application 60/241645, filed October 19, 2000, 

INT-CL: [07] G06F 7/00

US-CL-PUBLISHED: 707/9 
US-CL-CURRENT: 707/9 



US-CL-CURRENT: 726/4

REPRESENTATIVE-FIGURES: 2 



ABSTRACT: 

Content resources are managed. A request is received from a user for access to a source of 
content resources. It is determined that the user is authorized for access to the source. A 
portal Web page is generated based on a set of content element data applicable to the 
subscriber. The portal Web page is returned to the user. A system for use in managing content 
resources has a switch for receiving requests from Web browsers, a content resource management 
engine in communication with the switch, and a billing system in communication with the content 
resource management engine. 

CROSS-REFERENCE TO RELATED APPLICATIONS 

[0001] This application claims the benefit of U.S. Provisional Application Serial No. 
60/222,038 entitled "DIRECTORY-ENABLED BROADBAND SERVICE NETWORK," filed on Jul. 31, 2000, 
which is incorporated herein by reference. 
Document ID: US 20020062451 A1

Entry 124 of 160, File: PGPB, May 23, 2002

PGPUB-DOCUMENT-NUMBER: 20020062451
DOCUMENT-IDENTIFIER: US 20020062451 A1

TITLE: System and method of providing communication security 
PUBLICATION-DATE: May 23, 2002 
ABSTRACT:

A process of checking the authorization and authenticity of an application provided by a user 
includes authenticating an application authentication file against a domain administrator's
public membership key. An application executable is then hashed, and the application hash 
result is compared to an authentication hash contained in the application authentication file. 
At this point, services are denied to the application if the application hash and the 
authentication hash do not match. Configuration assignments in the application authentication 
file are decoded if the application hash and the authentication hash match. The decoded 
configuration assignments are compared to the user's configuration assignments. Services are 
provided to the application if the result of the decode is favorable. Services are denied to 
the application if the result of the decode is not favorable. 
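The decision sequence in this abstract (authenticate the authentication file against the administrator's public key, hash the executable and compare, then check the configuration assignments against the user's) is easy to get wrong if the checks are reordered or the hash in the file is not covered by the signature. The following is an added example, not code from the patent or any product it describes. It assumes a JSON-encoded authentication file whose signed body carries the executable's SHA-256 and the configuration assignments; the RSA-style key pair is a constructed toy stand-in for the "public membership key" (textbook-sized numbers, illustration only), and the function and field names are hypothetical.

```python
import hashlib
import hmac
import json

# Toy RSA key pair (constructed, textbook-sized numbers). It stands in for the
# domain administrator's public membership key; a deployment would use a real
# signature scheme from a vetted library, never parameters this small.
_P, _Q = 1000003, 1000033
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
ADMIN_PUBLIC_KEY = (_N, _E)    # distributed to every node in the domain
ADMIN_PRIVATE_KEY = (_N, _D)   # held only by the domain administrator


def _digest_int(data: bytes) -> int:
    """SHA-256 of data, reduced into the toy modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % _N


def toy_sign(data: bytes, private_key) -> int:
    n, d = private_key
    return pow(_digest_int(data), d, n)


def toy_verify(data: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def _canonical(body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True).encode()


def build_auth_file(executable: bytes, config_assignments: dict, private_key) -> dict:
    """Domain administrator side: bind the executable hash and its configuration
    assignments into an application authentication file and sign that body."""
    body = {
        "executable_sha256": hashlib.sha256(executable).hexdigest(),
        "config_assignments": config_assignments,
    }
    return {"body": body, "signature": toy_sign(_canonical(body), private_key)}


def check_application(executable: bytes, auth_file: dict, user_assignments: dict,
                      admin_public_key) -> tuple:
    """Node side: the decision sequence from the abstract. Returns (granted, reason)."""
    # 1. Authenticate the authentication file against the administrator's public key.
    if not toy_verify(_canonical(auth_file["body"]), auth_file["signature"], admin_public_key):
        return False, "authentication file not signed by domain administrator"
    # 2. Hash the executable and compare with the hash in the authentication file.
    actual = hashlib.sha256(executable).hexdigest()
    if not hmac.compare_digest(actual, auth_file["body"]["executable_sha256"]):
        return False, "executable hash mismatch"
    # 3. Decode the configuration assignments and compare with the user's.
    for key, required in auth_file["body"]["config_assignments"].items():
        if user_assignments.get(key) != required:
            return False, f"configuration assignment {key!r} not satisfied"
    return True, "services granted"
```

Because the signature covers the whole body, an attacker who can edit the authentication file cannot swap in a new executable hash or relax the configuration assignments without the administrator's private key; the order of the checks also means a tampered file is rejected before any hashing or decoding is done.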

INCORPORATION BY REFERENCE 



[0001] This document incorporates by this reference, the entire disclosures of the following
U.S. patent applications and patents: 08/974,843 filed Nov. 20, 1997; 09/108,312 filed Jul. 1, 
1998; 09/0123,672 filed Feb. 13, 1998; and 60/098,915 filed Sep. 1, 1998. This document also 
incorporates by reference U.S. Provisional Patent Application No. 60/204,385, which was filed 
on May 15, 2000. 
PRIMARY-EXAMINER: Thompson; Marc D.

ABSTRACT:

The present invention provides an electronic message management system (EMS) that includes a 
real-time feedback loop where data is collected from the electronic messages on incoming 
connection attempts, outgoing delivery attempts, and message content analysis, and written to a
centralized data matrix. A separate process accesses the data matrix and analyzes trends in 
that data. The detected data patterns, trends or behavior are based on configuration parameters
for the recipient. Based on these determinations, the process is able to instruct components in 
the EMS to accept, redirect, refuse, modify, defer, or otherwise dispose of the connection 
request, the delivery attempt, or the message. Associated methods for managing the transmission 
of electronic messages are also disclosed. 

105 Claims, 18 Drawing figures 
PRIMARY-EXAMINER: Amsbury; Wayne
ATTY-AGENT-FIRM: Fletcher Yoder



ABSTRACT: 

Searching and matching a set of query strings used for accessing information in a database
directory. In this disclosure, a user community administration tool queries a database
directory containing user information associated with a user community. In the user community
administration tool, there is an input query generation component that generates an input query
having a search pattern that includes a combination of attribute names, logical operators and
attribute values. An accessing component accesses a library of queries used for accessing the
user information in the database directory. A partitioning component partitions each of the
queries in the library into logical units. Each logical unit comprises a combination of an 
attribute name, logical operator and attribute value. A comparing component compares the search 
pattern of the input query to each partitioned logical unit for each of the queries in the 
library. The comparing component compares the attribute name of the input query to the 
attribute name in the logical unit, the operator used in the input query to the operator used 
in the logical unit and the attribute value in the input query to the attribute value in the 
logical unit. A determining component determines whether there is a match between the input 
query and any of the logical units associated with each of the queries in the library. 

29 Claims, 16 Drawing figures 
computing and remote execution of web applications. Lotus Domino Offline Services (DOLS) is used
by a web site administrator to configure Internet Notes (iNotes) clients to auto download from
server, thus providing iNotes clients with web access using HTTP with various browsers, and
with local processing and replication. A local run time model comprises a hierarchy of models
including object data store model, security model, indexing model, replication model, agent
workflow model and mail model. DOLS provides a layered security model that allows flexibility
for controlling access to all or part of an application. The highest level of security is
managed through a database access control list (ACL). Further refinements within the security
model provide access to specific documents, and their views, forms or folders, and include read
access lists, write access lists, form access lists and readers and authors fields.
A computer system has a management service, such as a distributed directory, having a plurality
of objects and an access control mechanism. The computer system also has a resource, such as a 
data store, with a security system. A first object in the management service represents a 
requester and a second object represents the resource. A broker has access to the management 
service and the resource, and is operative to determine whether the first object has rights to 
access the second object, and if such rights exist, allow the requester to access the resource. 
DOCUMENT-IDENTIFIER: US 6192405 B1

TITLE: Method and apparatus for acquiring authorized access to resources in a distributed 
system 

Drawing Description Text (8) : 

FIG. 6 depicts a computer system and the interrelationship between a user, and e-mail system 
acting as a broker, a distributed directory, a database, and an administrator program; 

Detailed Description Text (6) : 

When a group of computers are connected to one another, such as in a client/server network, a 
management service is typically used to organize, administer, and provide access to information 
and resources across the network. Management services usually access or include a collection of 
objects that represent a variety of things. For instance, some typical objects represent users, 
groups, printers, computers, and the like. In some management services, objects are organized 
in flat domains such as the SECURITY ACCOUNTS MANAGER ("SAM") of WINDOWS NT. 

Detailed Description Text (22) : 

Directory security is usually used in conjunction with login security, where directory security 
is not used unless login security has been first verified. While directory security can vary 
greatly, it generally comprises two parts: file system security and object security. File 
system security provides access control to files and directories, and basically involves 
assigning trustee rights and file/directory attributes. Trustee rights assignments can be 
granted to any object in the distributed directory including container objects, user objects, 
group objects, and organization roles. Examples of such rights include access control, 
supervisor, read, write, create, erase, modify, and file scan. In contrast, file/directory 
attributes control what actions can or cannot be taken on a file or directory. For example, 
certain files could be flagged as "read only" and "shareable" to prevent any unintentional or 
intentional deletions of such files or directories. 

Detailed Description Text (58) : 

In addition to these new object classes, the administrator 107 also extends the following 
existing object classes: (i) User, (ii) Group, (iii) Organization, (iv) Organizational Unit, 
and (v) Country. 

Detailed Description Text (75) : 

These modifications allow forms to be associated with a specific "User" object, "Group",
"Organization", "Organizational Unit" or "Country". The administrator 107, in addition to
allowing these associations to be configured for each of these objects, also creates an ACL on 
the Forms object 104 with the "Read" right to all attributes for each association made to a 
Forms object 104. 

Detailed Description Text (100) : 

In step 165, the Forms Processor Client 113 is in "Service" mode and waits for an appropriate 
command. When the "Form Request" dialog is invoked in step 166, the Forms Processor Client 113 
presents the user 108 with a list of all available forms on the "Form Request" dialog. This 
involves reading the current authenticated NDS object 102 "Forms" attribute, reading the 
"Forms" attribute of all the NDS groups the current user is a member, reading each container 
above the current authenticated object up to the [Root], and place all values in an internal 
object list. At step 168, the user 108 simply double-clicks the form of interest on the list 
and the request is submitted in step 169 to the Forms Processor Server 112. The Forms Processor 
Server 112 processes the request and responds with a custom message type, as discussed above. 

Detailed Description Text (102): 
The computer system 100 provides the capability for NDS/GROUPWISE clients to request and submit
data from a database 109 while leveraging NDS authentication and using the secure transport of
GROUPWISE. A GROUPWISE client with the Forms Processor Client 113 loaded can request
a form by clicking on the Request Form tool bar button. This launches the Request Form dialog 
box. Enumerated on this dialog box are the Form objects 104 the user 108 has been granted 
rights to request. This is accomplished by reading the Form associations from the current 
authenticated user object 102, the groups this user is member of, and each of the containers 
above this user object up to [Root]. The user 108 can then request one of the enumerated forms
from that dialog. 
ABSTRACT:

The present invention provides a method and apparatus for managing links between documents and 
other data structures, such as applications. Search mechanisms may include a directory services 
search engine for locating objects. A directory object data structure search engine may 
evaluate, search, or the like, various objects to obtain important information contained in 
attributes or data members thereof. An association list handler may be a search engine for 
searching association lists stored as attributes of objects for identifying desired documents. 
A standard query data structure may be applied by a query resolver to a document location table 
identified by a document location object. A query generator may be responsible to formulate the 
standard query data structure, or for formulating queries for all three types of search 
engines. A directory services database may be searched for an object. An object may be searched 
for a particular data member or attribute. A table may be pointed to by a directory services 
object. The table may.be searched for an identification or distinguished name associated with a 
specific document desired. Likewise, fuzzy logic may be applied to obtain documents that are 
similar to desired documents that are similar to desired documents, rather than identical. 

33 Claims, 14 Drawing figures 
DOCUMENT-IDENTIFIER: US 6049799 A

TITLE: Document link management using directory services 



Brief Summary Text (12): 

It is an object of the invention to provide a new type of directory services object that may be 
used to provide document management of documents accessed by users, groups of users, 
organizations, and the like. 

Detailed Description Text (47) : 

For example, the add executable 106 may include a test beginning at a closest proximity to a 
user or an application 74. Accordingly, criteria may include a test to identify a user 
identified in an access list, or search lists of a user's membership in a particular group or
organization. Tests may evaluate contents, titles, or paths similar to those of a desired 
document. Such information may help determine that a high probability exists for a document 144 
to be included for consideration by a user, if an exact match is not found. 

Detailed Description Text (62): 

A leaf object, such as a user object 128, Docloc object 130, or group object 120 does not 
contain other objects. A group object 120 identifies members of a group. Thus, a group object 
120 may include certain rights 122 and similar attributes. However, a significant feature of a 
group object 120 is a membership list 124. Typically, a membership list 124 may contain a list 
of distinguished names 126. Distinguished names are unique names identifying member objects 113 
that pertain to a group 120 defined by the group object 120. 

Detailed Description Text (95) : 

Alternatively, one may think of the individual distinguished names 198 contained in a 
membership list 124 as individual attributes as well. The distinguished names 198 may identify
users, for example, or user objects 128 having some relationship to the group object 120. A 
group object 120 may be thought of as defining a group 120. 

Detailed Description Text (101) : 

Querying responsibilities may be allocated to the directory services search engine 138 to find 
a Docloc object 130, 132, a user object 128, a group object 120, or a container object 114. 
Meanwhile, responsibility may be placed upon the association list handler 88, in conjunction
with, or independently of, the directory services search engine 138 to query association lists 
118, 136, 200 to identify objects 113 identified therein by respective distinguished names 160, 
180, 210, and the like. Meanwhile the query resolver 84 may be allocated the single 
responsibility of querying or resolving a query directed to a Docloc table 140, a Docloc object 
130, or the like. 

Detailed Description Text (158) : 

Failing to find the desired document 144 by looping 330 through all Docloc objects 130 
identified in or by the user object 128, the loop step 330 may loop outward through group 
objects 120 related to the user object 128. Again, the nested looping 330 continues through the 
Docloc objects 130 referenced by the group object 120. 

Detailed Description Text (160) : 

Similarly, all container objects 114, which may be thought of as parent objects 114 to user 
objects 128 or even group objects 120, may be looped through 330, in turn. An objective of a 
loop step 330 is to loop through each type of object 113 (e.g. Docloc objects 130, user objects 
128, group objects 120, container objects 118) in order to identify a desired Docloc object
130. 
Detailed Description Text (162):

Each time a loop step 330 loops through a particular type of object 113 (e.g. container object,
group object 120, user object 128, Docloc object 130), it should ultimately arrive at a
Docloc object 130, if available. A query data structure 80, or query 80, in combination with a 
query resolver 84 (see FIG. 2) may then evaluate the attributes 214 of the Docloc object 130, 
and vector to a Docloc table 140. Likewise, a query 80 or standard query data structure 80 in 
combination with a query resolver 84 (distinct from such for querying a Docloc object 130) may 
query a Docloc table 140 to find a file name 280 and path 282 corresponding to a desired 
document 144. Thus, in FIG. 11 the resolve query step 334 may be thought of as querying a 
Docloc table 140 to find an appropriate file name 280 and path 282 corresponding to a desired 
document 144. 

Detailed Description Text (166) : 

After a resolve query step 334, a test 340 may determine whether or not an exact match for a 
desired document 144 has been located in a Docloc table 140. If not, a test 342 may determine 
whether or not the traverses of all suitable objects 113 (e.g. Docloc objects 130, 132, user 
objects 128, group objects 120, and container objects 114 or parent objects 114) have been 
exhausted. If not, the nested, looping step 330 continues. If the traverse is complete, or an 
exact match was found, the process 320 advances. 

Detailed Description Text (183) : 

In general, the provide distinguished name step 366 may be thought of as providing a particular 
distinguished name corresponding to any type of object 213. For example, a Docloc object 130, 
132, a user object 128, a group object 120, or a container object 114 may be thought of as a 
"type" or class of object 113 in a directory services database 112. 

Detailed Description Text (184) : 

A nested looping may traverse through all Docloc objects 130, 132, followed by user objects 
128, followed by group objects 120, and container objects 114 (parent objects 114) . The looping 
may rely on a provide step 366 providing a next distinguished name of the appropriate type of 
object 113. Thus, the provide step 366 may initially provide a distinguished name 213 • 
corresponding to a Docloc object 130, 132. 

Detailed Description Text (186): 

A search step 370 may be responsible for searching through one or more directory services 
databases 112 to find the desired type of object 113 (e.g. Docloc objects 130, 132, user object 
128, group object 120, container object 114) in question. In one presently preferred 
embodiment, the search step 370 searches for a distinguished name 213, 170, 190, 150, as 
appropriate. In one embodiment, the directory services search engine 138 may execute the search 
step 370. 

Detailed Description Text (202) : 

The find step 390 and the provide step 366, combine to step through each of the distinguished 
names 160, 180, 210 in the respective association lists 118, 136, 200 as the process 350 loops 
through each of the respective objects 114, 128, 120. In one currently preferred embodiment, as 
discussed, the process 350 loops in a nested fashion first through Docloc objects 130, then 
user objects 128, then group objects 120, then container objects 114 (parent objects 114) . 
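The nested traversal described in paragraphs (158) through (202), as an added example that is not code from the patent: the search looks at the Docloc objects referenced by the user object first, then those referenced by the groups the user is a member of, then those of each container above the user up to the root, and resolves each Docloc object against its Docloc table until an exact match is found. The object classes, distinguished names and document ids below are constructed, and the directory is modelled as a plain dictionary keyed by distinguished name rather than a real directory service.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DoclocObject:
    """Directory object whose attributes vector to a Docloc table."""
    dn: str
    table: Dict[str, Tuple[str, str]]   # document id -> (file name, path)


@dataclass
class UserObject:
    dn: str
    parent_dn: str                      # container directly above the user
    docloc_dns: List[str] = field(default_factory=list)   # association list


@dataclass
class GroupObject:
    dn: str
    members: List[str] = field(default_factory=list)      # membership list of DNs
    docloc_dns: List[str] = field(default_factory=list)


@dataclass
class ContainerObject:
    dn: str
    parent_dn: Optional[str]            # None at [Root]
    docloc_dns: List[str] = field(default_factory=list)


def resolve_query(docloc: DoclocObject, doc_id: str):
    """Query resolver: look the document up in the Docloc table."""
    return docloc.table.get(doc_id)


def locate_document(directory: dict, user_dn: str, doc_id: str):
    """Nested traversal: the user's Docloc objects first, then those of the groups
    the user belongs to, then those of each container up to the root. Stops at the
    first exact match. Returns ((file name, path) or None, Docloc DNs visited in order)."""
    user = directory[user_dn]
    candidates = list(user.docloc_dns)
    for obj in directory.values():
        if isinstance(obj, GroupObject) and user_dn in obj.members:
            candidates.extend(obj.docloc_dns)
    parent = user.parent_dn
    while parent is not None:
        container = directory[parent]
        candidates.extend(container.docloc_dns)
        parent = container.parent_dn
    visited = []
    for dn in candidates:
        visited.append(dn)
        hit = resolve_query(directory[dn], doc_id)
        if hit is not None:
            return hit, visited
    return None, visited


def sample_directory() -> dict:
    """Constructed directory services database keyed by distinguished name."""
    objs = [
        ContainerObject("o=acme", None, ["cn=corp-docs,o=acme"]),
        ContainerObject("ou=eng,o=acme", "o=acme", ["cn=eng-docs,ou=eng,o=acme"]),
        UserObject("cn=jdoe,ou=eng,o=acme", "ou=eng,o=acme", ["cn=jdoe-docs,ou=eng,o=acme"]),
        GroupObject("cn=reviewers,o=acme", ["cn=jdoe,ou=eng,o=acme"], ["cn=review-docs,o=acme"]),
        DoclocObject("cn=jdoe-docs,ou=eng,o=acme", {"D-100": ("notes.txt", "/home/jdoe")}),
        DoclocObject("cn=review-docs,o=acme", {"D-200": ("spec.doc", "/shared/review")}),
        DoclocObject("cn=eng-docs,ou=eng,o=acme", {"D-300": ("design.doc", "/shared/eng")}),
        DoclocObject("cn=corp-docs,o=acme", {"D-300": ("design-old.doc", "/archive"),
                                             "D-400": ("policy.doc", "/shared/corp")}),
    ]
    return {o.dn: o for o in objs}
```

The visited list makes the search order observable: a document id present in both an organizational unit's table and the root container's table resolves to the nearer one, which is the "closest proximity" behaviour the text describes, and a lookup that exhausts every object returns None rather than guessing.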

CLAIMS : 

5. A method for managing a link to a document, the method comprising: 

providing a network directory services system for storing and managing a directory services 
database of directory services objects, including a document location object, being an instance 
of a directory services object, linked together in a hierarchy over a network; 

providing a link management module for reestablishing a link to a lost document by searching 
through multiple environments across the network to find the location of the lost document, the 
link management module being independent from the directory services system and programmed to 
query the directory services system to find the document location object corresponding to the 
lost document;
providing a file server storing a plurality of documents, including the lost document; 
generating a query containing information corresponding to the link failure;

traversing, by the link management module, the directory services database to locate the 
document location object corresponding to the document; and
reestablishing, by the link management module, the link. 
15. A method for managing a link to a document, the method comprising: 

providing a network directory services system for storing and managing a directory services 
database of directory services objects, including a document location object, being an instance 
of a directory services object, linked together in a hierarchy over a network of nodes, each 
node containing a processor effective to execute executables; 

executing an installation utility programmed to install the document on a node, the 
installation utility being independent from the directory services system; 

providing information effective to locate the document; and 

storing to the document location object in the directory services database attributes 
reflecting the information. 

20. An apparatus for managing links to documents within a network of nodes, the nodes including 
a user station, file server, and directory services server, the apparatus comprising: 

the user station programmed to execute a link management module for searching through multiple 
environments across the network to find and link a lost document to the user station; 

a file server storing a plurality of documents, including the lost document; 

a directory services system comprising a directory services database, containing directory 
services objects, including a document location object, being an instance of a directory 
services object, linked together in a hierarchy, and programmed to execute a search engine 
effective to search the directory services database for the directory services objects 
associated with the lost document;

the link management module being independent from the directory services system and programmed 
to query the directory services system to find the document location object corresponding to 
the lost document. 

23. The apparatus of claim 22, wherein the directory services database stores objects selected 
from the document location object, a user object, group object, and container object, the 
document location object being comparatively closest to the link and containing pointing data 
for identifying the document. 
ART-UNIT: 2131

PRIMARY-EXAMINER: Wright; Norman M. 
A security and access management system provides unified access management to address the
specific problems facing the deployment of security for the Web and non-Web environment. 
Unified access management consists of strategic approaches to unify all key aspects of Web and 
non-Web security policies, including access control, authorization, authentication, auditing, 
data privacy, administration, and business rules. Unified access management also addresses 
technical scalability requirements needed to successfully deploy a reliable unified Web and 
non-Web security system. The security and access management system provides the technology 
required to support these key factors as they relate to Web and non-Web security. The security 
and access management system operates in combination with network and system security tools 
such as firewalls, network intrusion detection tools, and systems management tools to provide 
comprehensive security for the Web-enabled enterprise. 

3 Claims, 37 Drawing figures 
DOCUMENT-IDENTIFIER: US 6460141 B1

TITLE: Security and access management system for web-enabled and non-web-enabled applications 
and content on a computer network 



Detailed Description Text (20) : 

The security and access management system 10 provides a highly flexible and scalable data model 
for defining both accessibility of resources and applications and data model administration 
policy. While the security and access management system 10 provides out-of-the-box support for 
Web-based applications, the security and access management system is also powerful and flexible 
enough to secure proprietary applications, such as the applications which run on the non-Web 
server 30 shown in FIG. 1. Security policy is defined using an access control architecture. 
Through the access control architecture, protected resources are associated with resource 
consumers, defining access control policy. Additionally, the security and access management 
system 10 provides a robust administration architecture, securing access to the entitlements 
database 32. Through the administration architecture, a user is associated with administrative 
rights and ownership, defining an administrative policy. 

Detailed Description Text (25) : 

The resource consumer architecture 56 also provides a containment hierarchy or containers 74 of 
users 68. This allows an administrator to more easily assign access rights to a large group of 
users 68 without having to assign rights individually. A user 68 can be grouped together into a 
group object 76. Group objects 76 likewise can be grouped together into a realm object 78. 

Detailed Description Text (46) : 

User means a single user of Web applications protected by the security and access management 
system 10, using various user properties such as username, password, e-mail address, IP 
address, etc. Group means a collection of users, grouped together for ease of administration. 
Groups have specific properties. A realm is a collection of groups. A realm contains all of the 
users within the component groups of the realm. Entity means a user, group, or realm. 

Detailed Description Text (49) : 

An administrative group is a set of ownable resources that is configured to be under the 
control of a particular set of administrators. Administrative role means a role defining the 
types of operations an administrator can perform on a particular administrative group. An 
ownable resource is one of all of the types of resources defined in the security and access 
management system 10, which can fall under the control of an administrative group. They are:
user, group, realm, application, Web server, administrative roles, and user property
definitions. Other resources, such as entitlements and smart rules, are owned by default by the
group that owns the related application, property, or user/group/realm.

Detailed Description Text (50) : 

As mentioned earlier, the security and access management system 10 encompasses various 
concepts. These concepts include users, groups, and realms. 

Detailed Description Text (52) : 

A group is a collection of users. Any action applied to a group is automatically applied to 
every user in that group. Consequently, granting a group access to an application automatically 
gives each user in that group access to that application. The same rule applies for restricting 
application access and various other features. The exception to this rule is deleting a group. 
If a group is deleted, the users in that group are no longer members of that group, and none of 
the security settings applied to that group continues to apply to those users. However, 
deleting a group does not delete any of the users in that group. Users must be deleted 
individually to remove their information from the entitlements database 32 and make them 

Detailed Description Text (58) : 

As shown in FIG. 5, a user can be associated with any number of administrative roles. An 
administrative role can be associated with any number of users. An administrative group can 
contain any number of users, groups, or realms. 

Detailed Description Text (66) : 

The security and access management system 10 allows a security administrator to create an 
unlimited number of users, each with individual defining properties. The administrator can 
further collect users into groups and groups into realms. Additionally, users can be in 
multiple groups. This feature is useful for administrators trying to mimic organizational 
structure (for example, user John Doe may be in the promotions group, which is in the marketing 
realm) or geography (user Jane Doe is in the Paris group, which is in the Europe realm), or any 
other type of grouping. The user/group/realm concept is also important for setting permissions 
and entitlements, as will be described later in connection with the description of the Basic 
Entitlements page. 

Detailed Description Text (67) : 

In order to find a particular user, group, or realm in the list box, an administrator can 
scroll through the list of entities or use the Search function. In order to use Search, the 
administrator enters the desired name or name fragment in the field, and clicks the Search 
button. If a full name is typed into the Search field, that name will automatically appear at 
the top of the list box. If a fragment is typed into the Search field, the first name beginning 
with that fragment will appear at the top of the list box. The Search function is indexed 
differently depending on the type of entity selected. For users, the Search function indexes on 
last name. For groups and realms, the Search function indexes on the group or realm name. 

Detailed Description Text (68): 

Users logged in using administrative roles with the proper permissions can create users, 
groups, or realms. In order to create a user, Users is selected in the entity menu. Clicking 
the Create button brings up the Create User dialog window, as shown in FIG. 9. 

Detailed Description Text (73) : 

The Create User window also comprises a Super User checkbox. A user must be an administrator to 
be designated a Super User. If a user is both an administrator and a Super User, he or she can 
perform any action on any user, group, realm, or application. Care is typically exercised when 
applying Super User status to administrators. 

Detailed Description Text (78) : 

When creating a user, group, or realm, an administrator should be aware of his or her current 
administrative role and the administrative group associated with that role. Any user, group, or 
realm created is automatically associated with that administrative group. Consequently, if an 
administrator can create users as both the marketing administrator and the engineering 
administrator, for example, it is preferable to create marketing and engineering users while 
working in the appropriate roles. 

Detailed Description Text (80) : 

On the one hand, in order to add users to a group, Users is selected in the entity menu. The 
user list appears in the entity list box. Then, the Select Group button is clicked. The Group 
List dialog window will appear. The group to be populated is then selected, and the OK button 
is clicked. In order to include users in that group, the user to be added is highlighted to 
select the user, and the Add Arrow button is then clicked. 

Detailed Description Text (81) : 

On the other hand, in order to remove users from a group, Users is selected in the entity menu, 
and the appropriate group is also selected, as described above. The user to be removed is then 
highlighted to select the user from the Group Members list box. In order to remove the selected 
user, the Remove Arrow button is then clicked. 

Detailed Description Text (83) : 

In order to edit a user, group, or realm, Users, Groups, or Realms is selected from the entity 
menu. All of the available entities of that type then appear in the list box below. The user, 
group, or realm to be modified is then highlighted to select the entity, and then the Modify 
button is clicked. The Modify dialog window appears. The Modify dialog window is identical to 
the Create dialog window, but contains all of the current user/group/realm information, which 
can be edited. Once the fields in the Modify dialog window have been changed, OK is clicked to 
complete the Modify, or the Cancel button is clicked to abort. 

Detailed Description Text (84) : 

In order to delete an entity, the appropriate entity type (Users, Groups, or Realms) from the 
entity menu is selected. Then, the entity or entities to be deleted from the list box are 
highlighted. The Delete button is pressed to delete the user, group, or realm. 

Detailed Description Text (85) : 

Deleting a group or user is different from removing a group from a realm, or a user from a 
group. A deleted group is gone. The component users still exist, but the group information is 
deleted, and any entitlements applied to that group are deleted as well, and the group is 
automatically deleted from any realm which contained that group. A group removed from a realm 
still exists. However, the group is simply no longer governed by entitlements applied to that 
realm. Similarly, a deleted user is gone. All of the user information is removed from the 
entitlements database 32. Deleting a user automatically removes that user from all groups, and 
a deleted user cannot be added to any group. A removed user is no longer a member of that 
group, but is still in the entitlements database 32 and is available to be added to any group. 
Consequently, care is typically exercised when deleting users, groups, or realms. 

Detailed Description Text (96) : 

Entitlements are defined and administered using the Basic Entitlements page, as shown in FIG. 
17. By adding entitlements using the security and access management system 10, entitlements to 
particular applications can be assigned to users, groups, or realms with ease. First, the 
administrator selects the user, group, or realm to be granted the entitlement. This is similar 
to the selection process on the Users page, described earlier. The appropriate entity is then 
selected from the entity menu. Clicking the left Choose button brings up a list of all 
available users, groups, or realms. The entity to be administered is selected from this list, 
and the Choose button is clicked. All of the entitlements for the selected user, group, or 
realm appear in the Basic Entitlements list box. 

Detailed Description Text (98) : 

In order to grant a Basic Entitlement to the selected user, group, or realm, the appropriate 
application function is highlighted, and the Left Arrow button is clicked. The application 
name, function name, and default entitlement setting (Allow or Deny) will then appear in the 
Basic Entitlements list box for the user. 

Detailed Description Text (101) : 

If a basic entitlement for a user is deleted, the access privileges of that user to that 
application function revert to the next available setting. If the user is in a group or realm 
with basic entitlements set for that application function, those privileges apply. If that is 
not the case, default settings apply. 

Detailed Description Text (102): 

When a basic entitlement for a group is deleted, users in that group, who do not have basic 
entitlements set, revert to the default entitlement settings for that application function. 
Since entitlements at the user level override entitlements at the group level, users with basic 
entitlements set see no change in their access ability. 

Detailed Description Text (103) : 

When basic entitlements for a realm are deleted, access privileges for users in groups in that 
realm are determined by the appropriate user entitlements settings (if they exist) , group 
entitlements settings (if they exist), or default entitlements settings, in that order. 
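The user/group/realm containment hierarchy, the delete-versus-remove distinction of paragraphs (52) and (85), and the resolution order of paragraphs (101) to (103) (user entitlement, then group, then realm, then the application function's default), modelled as an added Python example. This is illustration code written for this page, not code from the patent or from the security and access management system it describes; the class and method names, the sample users, groups, realms and application functions, the deny-when-no-default fallback, and the name-order tie-break between several groups or realms are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Setting(Enum):
    """Basic entitlement setting for one application function."""
    ALLOW = "Allow"
    DENY = "Deny"


@dataclass
class EntitlementsDB:
    """Toy stand-in (assumed, not the patent's schema) for the entitlements database:
    users, groups, realms and basic entitlements keyed by (kind, name, function)."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)        # group name -> set of user names
    realms: dict = field(default_factory=dict)        # realm name -> set of group names
    entitlements: dict = field(default_factory=dict)  # (kind, name, function) -> Setting
    defaults: dict = field(default_factory=dict)      # function -> default Setting

    def add_user(self, user):
        self.users.add(user)

    def add_group(self, group):
        self.groups.setdefault(group, set())

    def add_realm(self, realm):
        self.realms.setdefault(realm, set())

    def add_user_to_group(self, user, group):
        # A deleted (or never created) user is not in the database and cannot be added.
        if user not in self.users:
            raise KeyError(f"user {user!r} is not in the entitlements database")
        self.groups[group].add(user)

    def add_group_to_realm(self, group, realm):
        if group not in self.groups:
            raise KeyError(f"group {group!r} does not exist")
        self.realms[realm].add(group)

    def remove_user_from_group(self, user, group):
        # Removal: the user still exists and may be added to any group later.
        self.groups[group].discard(user)

    def remove_group_from_realm(self, group, realm):
        # Removal: the group still exists; it is merely no longer governed by the realm.
        self.realms[realm].discard(group)

    def delete_group(self, group):
        # Deletion: the group, its entitlements and its realm memberships are gone;
        # the member users themselves still exist.
        del self.groups[group]
        for members in self.realms.values():
            members.discard(group)
        self.entitlements = {k: v for k, v in self.entitlements.items()
                             if k[:2] != ("group", group)}

    def delete_user(self, user):
        # Deletion: the user leaves the database, every group, and loses all entitlements.
        self.users.discard(user)
        for members in self.groups.values():
            members.discard(user)
        self.entitlements = {k: v for k, v in self.entitlements.items()
                             if k[:2] != ("user", user)}

    def grant(self, kind, name, function, setting):
        self.entitlements[(kind, name, function)] = setting

    def revoke(self, kind, name, function):
        self.entitlements.pop((kind, name, function), None)

    def resolve(self, user, function):
        """Return (Setting, level): user overrides group, group overrides realm, realm
        overrides the default. Conflicts between several groups or realms of one user
        are not specified in the text; first match in name order is an assumption."""
        if ("user", user, function) in self.entitlements:
            return self.entitlements[("user", user, function)], "user"
        user_groups = sorted(g for g, m in self.groups.items() if user in m)
        for g in user_groups:
            if ("group", g, function) in self.entitlements:
                return self.entitlements[("group", g, function)], "group"
        for r in sorted(self.realms):
            if self.realms[r] & set(user_groups) and ("realm", r, function) in self.entitlements:
                return self.entitlements[("realm", r, function)], "realm"
        # Fail closed when no default was configured for the function (assumption).
        return self.defaults.get(function, Setting.DENY), "default"


def build_sample():
    """Constructed sample mirroring the John Doe / promotions / marketing wording."""
    db = EntitlementsDB()
    for u in ("john.doe", "jane.doe"):
        db.add_user(u)
    for g in ("promotions", "paris"):
        db.add_group(g)
    for r in ("marketing", "europe"):
        db.add_realm(r)
    db.add_user_to_group("john.doe", "promotions")
    db.add_user_to_group("jane.doe", "paris")
    db.add_group_to_realm("promotions", "marketing")
    db.add_group_to_realm("paris", "europe")
    db.defaults["orders.approve"] = Setting.DENY      # constructed application functions
    db.defaults["catalog.view"] = Setting.ALLOW
    db.grant("realm", "marketing", "orders.approve", Setting.ALLOW)
    db.grant("group", "promotions", "orders.approve", Setting.DENY)
    db.grant("user", "john.doe", "orders.approve", Setting.ALLOW)
    return db
```

`resolve` returns the level at which the decision was made as well as the setting, which is the detail an auditor wants when asking why a user ended up with access; revoking the user-level entitlement in the sample drops John Doe to the group's Deny, revoking that exposes the realm's Allow, and removing or deleting the group falls through to the function's default, exactly the cascade paragraphs (101) to (103) describe.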

Detailed Description Text (125): 

Referring to FIG. 23, the Administrators page is the tool for defining security administrators 
and administrative duties. An administrator can be given the power to control any selection of 
users, groups, or realms, any applications, and any privileges. The design of the 
administrative system will now be described in more detail. 

Detailed Description Text (197) : 

The security and access management system 10 can leverage data that resides in an LDAP 
directory like other LDAP-enabled applications. By leveraging the LDAP directory data, 
organizations can centrally manage user information in the directory and use the security and 
access management system 10 to define security policy and to secure Web resources. 

Detailed Description Text (198) : 

In a preferred embodiment, the security and access management system 10 provides a Web security 
system that combines native LDAP support with powerful Oracle database scalability. This 
combination of the security and access management system 10 and LDAP provides many benefits and 
enables: 1) companies to use an LDAP directory server to centrally store and manage user 
information, such as passwords, e-mail addresses, contract numbers, and other common user 
attributes; 2) companies to use multiple LDAP directory servers, including those from Netscape 
or Novell; 3) Web applications to incorporate users' LDAP attributes to dynamically generate 
personalized Web pages; and 4) Business to business application and data integration across 
firewalls via LDAP. 
A system and method are provided for providing an activity framework. First, a plurality of 
sub-activities are created which each include sub-activity logic adapted to generate an output 
based on an input received from a user upon execution. Second, a plurality of activities are 
defined which each execute the sub-activities in a unique manner upon being selected for 
accomplishing a goal associated with the activity. Selection of one of the activities is 
allowed by receiving user indicia. An interface is depicted for allowing receipt of the input 
and display of the output during execution of the sub-activities associated with the selected 
activity. 
Drawing Description Text (25) : 

FIG. 16A is a flowchart depicting a method for managing user information ; 

Detailed Description Text (459) : 

The Membership Directory Manager is used to manage administration and access control for 
Membership Directory objects, including users and groups, and schema objects. The Membership 
Directory stores objects used by all Site Server features. 

Detailed Description Text (459) : 

FIG. 16A depicts a method 1600 for managing user information . A site server is provided in 
operation 1602. The site server has information stored on it including preferences, roles, and 
details relating to users. A database separate from the site server is provided in operation 
1604. The database has information stored thereon including preferences, roles, and details 
relating to the users. In operation 1606, an identity of one of the users is authenticated. A 
single interface is displayed in operation 1608, which provides the user access to both the 
site server and the database upon authentication of the identity of the user. In operation 
1610, the user is allowed to view and change the information that is stored on the site server 
and the database and that is associated with the user. The single interface is tailored in 
operation 1612 based on the information associated with the user. 

Detailed Description Text (475) : 

With reference to FIG. 16B, the User framework 1630 enables two approaches to maintaining user 
information. The framework supports two approaches by exposing a single set of interfaces that 
can be used by either of the two user framework components. With the AFUserSS component 1632, 
the framework interfaces with the Microsoft Site Server products Personalization and Membership 
Directory. For this user component, SiteServer holds and manages user information . With the 
AFUserDB component 1634, the framework interfaces with database tables. For this user 
component, database tables define the user information. 

Detailed Description Text (754) : 

A component within MTS utilizes role-based security to determine who may or may not have access 
to a specific COM component. A role is a symbolic name that defines a group of users for a 
package of components. Roles extend Windows NT security to allow a developer to build secured 
components in a distributed application. 

Detailed Description Text (900) : 

The web server has static security for each page and security to maintain control of the flow 
between pages. The static security uses the Windows NT group for each user role to restrict 
access to each page. For the flow control, the developer uses the Session framework to restrict 
the ordering of page requests. The allowed ordering of pages is entered into the Session 
database tables. 

Detailed Description Text (1123) : 

Who needs access to the application, i.e. what is your user group? Is it all Internet users or 
some authorized subset? Does one only have one type of user or are multiple levels of 
authorization required? 

Detailed Description Text (1594): 
Select Intranet [Windows NT Authentication] Membership option. Next create the sample site. 
Right click on the "Computer name" under the Commerce Host Administration folder (Refer to FIG. 
62 — Computer Name is "ZIMMERD3" 6208) . Select New — Commerce Site Foundation. Create New Site 
Foundation Wizard 6300 appears. FIG. 63 is an illustration of a Create New Site Foundation 
Wizard. Select to create site on "Site Server Commerce Membership Samples Web Site" option 
6302. Follow steps in the wizard. After Site has been created, right click on Default Web Site 
in Internet Information Server, select Task — Membership Server Mapping . . . change the 
Membership Server Mapping back to "Commerce Membership Server". 

Detailed Description Text (2911) : 

Multilevel Security: PVCS allows security by user, group and archive. 

Detailed Description Paragraph Table (70) : 

Title: Technical Manager 
Description & Responsibilities: Typically an IS department head with responsibility for the 
purchase and/or support of hardware and software. In configuration management, this role is 
more software oriented. Other responsibilities include: Assign development and support staff to 
projects. Review (accept/reject) technical approach proposed for projects. Monitor development 
and support budgets and personnel-status of projects. 

Title: Network System Administrator 
Description & Responsibilities: This individual is responsible for the installation, 
maintenance and support of the Unix and Windows NT servers including operating system, file 
systems, and applications. Other responsibilities include: Operating system installation, patch 
updates, migrations and compatibility with other applications. Installation and support of 
proper backup/restore systems. Installation and support of other peripherals required for 
installed (or to be installed) applications. Proper portion of the present description of 
hardware configuration and setup. Maintenance of Windows Domain users and Groups as well as 
other security issues. 

Title: Database Administrator 
Description & Responsibilities: The DBA is responsible for proper creation and maintenance of 
production and system test databases. The integrity of the database, as well as recovery using 
backup/restore and logging, are priorities for the DBA. Other responsibilities include: Assist 
developers in maintaining development databases by automating backup/recovery, applying changes 
to database schema, etc. Provide support for tuning, sizing and locating database objects 
within allocated database space. Applying change requests to databases. Ideally maintain entity 
relationship diagrams for databases. Maintenance of database users and other database-related 
security issues. 

Title: Source Code Librarian 
Description & Responsibilities: Individual responsible for development and maintenance of 
source code control tools, training materials, and storage areas. The Source Code Librarian is 
also responsible for the integrity of the source code environment. Additionally: Establishes 
source code directories for new projects. Provides reports on source code environment status 
and usage per project. Provides assistance/information as needed regarding objects to check out 
for system test. Assists production operations in building/moving all applications into 
production. 

Title: Business Analyst 
Description & Responsibilities: Individual or individuals responsible for managing the detailed 
design, programming, and unit testing of application software. Other responsibilities include: 
Developing/reviewing detailed designs. Developing/reviewing unit test plans, data, scripts, and 
output. Managing application developers. 

Title: Application Developer 
Description & Responsibilities: Individual or individuals responsible for making changes to 
source code defined by management. This person typically: Checks source code out of the source 
code environment. Modifies code per user requirements or other development portion of the 
present description. Unit tests modifications in the development environment. Checks modified 
code back into source code environment in preparation for system test. 

Title: System Tester / Integration Tester 
Description & Responsibilities: This person or team is directly responsible for system testing 
or integration testing of an application prior to implementing in production. This may also 
take the form of performance testing. Typically, a system or integration test person or team 
may be responsible for: Following production operation procedures for installing a new 
application in the appropriate test environment. Develop and execute a test plan to properly 
exercise new application including new, modified, and unmodified functionality. Reporting 
results of test. 

Title: Vendor 
Description & Responsibilities: For the purposes of this portion of the present description, a 
vendor is defined as an organization from which software has been purchased for use by the 
client's systems. Alternatively, a vendor may distribute final installable media in the form of 
tape or CD with upgrades or new release of application. A vendor may: Make modifications to 
application code at vendor offices or within the engagement development environment. Provide 
necessary information to Source Code Librarian to store new code. Assist Source Code Librarian 
in transferring modifications to the engagement system test environment. Participate in system 
test (or performance test). 